When Gov. Jared Polis on March 25 implored Coloradans to observe the stay-at-home order he had issued earlier that week, he let slip a tiny detail that’s had privacy experts on edge ever since: The state was relying on cell phone tracking data to determine whether residents were complying.

“We’re also looking at the different data that is available,” Polis said during the press conference update. “Metadata, which means data through data partners that include things like people that are moving around with cell phones, and how much they are moving when people are pinged.”

The aggregate data, Polis said, doesn’t identify individuals and “is helping us analyze whether the steps Colorado has taken to facilitate social distancing are working and whether we are on track to meet our goals.”

It immediately drew a number of responses on Twitter, with allegations of government tracking and secret use of cell phone information many thought to be private.

Since then, Polis has frequently cited data the state is using to make decisions, saying it reflects one trend or another during the COVID-19 crisis, but he has not identified the data, its source or who is compiling it for him.

When asked about it, gubernatorial spokesman Conor Cahill referred The Denver Post to the state health department, which responded to an open-records request by saying it knew nothing of the data or who was working with it, then directed a reporter to the state police. That agency said it had no information either, but eventually said Polis had personally located free cell phone location data on the internet after reading about it in a newspaper article. The agency sent a statement that said “no one internally is gathering or analyzing the … data on behalf of the governor.”

An April 2 New York Times graphic based on an analysis of cellphone location data shows where people are, and are not, curtailing travel to help prevent the spread of the coronavirus.

Later, health department officials told The Post the information was indeed being culled and analyzed on behalf of the governor, but from a group outside state government.

“The (governor’s) Innovation Response Team is using aggregate data to understand the density of people in and around Colorado,” Gabi Johnston, a spokeswoman for the state’s Department of Public Health and Environment joint information center, said in an email to The Post. “This includes (vehicle) traffic data and aggregate mobile phone data.”

The governor created the team to work within the Emergency Operations Center “to bring together public and private sector resources and innovations to the state’s emergency response to the COVID-19 virus,” according to a statement at the time. Part of its focus is to develop mobile and other technologies to help track the spread of the virus and support infected citizens, the statement said.

When pressed by The Post for the source of the cell phone data, Polis’ office then said it was “publicly available Google data” that shows how much interaction is occurring between people in different localities. Google recently announced it was making public anonymized cell phone data to show population movements. Other tech companies that gather or purchase cell phone location data for marketing purposes, such as Unacast, Cuebiq and Ubermedia, have done the same.

Cell phone data from a variety of sources is actually being gathered and filtered for the governor by a team led by at least seven people, several of them high-level corporate executives with information technology companies in Colorado, The Post has learned.

“I started building a volunteer team for the private sector side of the Innovation Response Team the week of March 16,” said Brad Feld, whom Polis named to the IRT as well as his Economic Stabilization and Growth Council to help deal with the crisis. “Tim offered to help in any way he could around the COVID crisis.”

Feld and Polis co-founded Techstars in 2006, a company that sought to accelerate investment in early-stage companies and offer mentorship to entrepreneurs. Feld, an investor at Foundry Group, and Miller have a professional and personal history that goes back to Avitek, one of Miller’s earlier tech companies.

Miller, 57, drew together a group, mostly former colleagues and partners at Rally, during a phone call nearly a week before Polis ever uttered the word “metadata” publicly.

“At 4 p.m. on Sunday, March 22, seven of us hopped on a mystery call at the bequest of Tim Miller,” Rachel Weston Rowell, managing partner and executive and team leadership coach at Trail Ridge in Louisville, wrote on CSE’s website. “Tim laid out a vision for building a volunteer corp(oration) to help the governor’s office and the state of Colorado respond quickly to technical needs in the face of the COVID19 crisis.”

The others on the call included: Ryan Martens, Miller’s partner at Rally and founder of the company; Steph Tanzer, the director of product management at VMware Carbon Black in Lafayette and a former software engineer at Rally; Eric Willeke, former transformation services director at Rally who runs his own Colorado business; and Cody Boggs, former operations engineer at Rally.

Within a week the group attracted more than 120 volunteers and a list of another 600 potential collaborators. All volunteers must sign a strict non-disclosure agreement about the group’s work and the data it acquires.

Polis named Miller to the IRT on March 25, the same day he referred to metadata the state was using.

Miller has refused to discuss the CSE project with The Post, the data sources it uses or how it gets the data, saying: “Our current policy is not to speak with the press, which I know is not helpful.”

Similar requests to the others on Martin’s call that day for comment about the project, how it impacts Colorado or how the government is using the data did not receive a response.

In addition to Google, the information the group relies on comes from a New Mexico company, Descartes Labs, which has made public the mobile phone tracking data it culls from a variety of cell phone applications, according to the state’s Emergency Operations Center. Those apps frequently ask users to allow them to track a phone’s location as part of their process – much like a weather app – but the data is also collected outside the app’s normal use, bundled and then sold, typically to marketing companies.

“There are also several data sources that are available from providers, which aggregate mobile de-identified device data with summaries about various movement measures,” Elizabeth Kosar, a public relations volunteer with the group, wrote in an email to The Post. “The information complements the CDOT data to provide additional aggregate information regarding mobility in states and our communities.”

Descartes Labs did not respond to Denver Post emails seeking comment.

Companies can track individual movements to as close as 10 feet and use the information to help with business plans, target marketing and other related products, according to Gladys Kong, CEO of Ubermedia in Pasadena, which has provided similar information to officials in New York and California.

“If you see too many people at the beach, for instance, maybe there should be a warning to disperse them,” Kong said of the data’s usefulness to government during the COVID-19 pandemic. “The information can come from apps such as for weather, navigation, radio, gaming, messenger or dating. It’s a very wide variety.”

That an individual’s movements can be tracked so easily is disconcerting to privacy experts.

“Clearly you want the weather app to use your location to give you relevant weather information,” said Bernard Chao, a professor at the Sturm College of Law at the University of Denver. “But you might not want them to sell it to a data aggregator to use for other purposes.”

Much of the issue lies with apps that require the permission if the consumer wants to use them, Chao said.

“In the United States, if you don’t say yes, you don’t get the service,” Chao said. “In Europe, there is separate consent. The data is automatically used for essential purposes of the app, but they separately need your consent for these non-essential purposes such as tracking for marketing purposes.”

“In the name of combatting the disease, some governments are rushing to expand their use of surveillance technologies to track individuals and even entire populations,” the organization said in a statement. “If left unchecked and unchallenged, these measures have the potential to fundamentally alter the future of privacy and other human rights.”

Polis’ office said the information has been helpful.

“Crowdsourced data and applications are making a positive difference across the world,” Polis spokeswoman Shelby Wieman said in an email. “So many engineers and programmer volunteers have been very helpful in addressing the needs of the state.”

On March 23, a day after the mystery call, a private nonprofit corporation was formed, Citizen Engineers for COVID-19, out of Martin’s home in Boulder, Colorado corporation records show. The nonprofit is the controlling entity of CSE, which is its trade name, those records show.

The nonprofit’s board members were Miller, his wife, Jerri Miller, and Elizabeth Miller, whose relationship to Tim Miller is unclear. That changed on April 8 when the group changed its name to Innovation Response Volunteers Inc., and Jerri and Elizabeth were replaced with Feld and Chad Varra, the former vice president of finance at Rally.

Corporation papers declare the nonprofit was formed “in response to a direct request from the Colorado governor’s office to engage, lead, plan and develop rapid-response technology initiatives to help combat COVID-19 threats in Colorado.”

Additionally, it is to “coordinate mitigation and suppression efforts” among a variety of private companies including technology firms “to facilitate technology-based solutions” to assist Polis’ Innovation Response Team.

“It’s a volunteer organization that is doing work for free,” Feld explained. “Since we have expenses associated with things like software licenses, it made sense to organize as a nonprofit so we could raise philanthropic funding.”

The group has no official agreement detailing its obligations to the state.

“IRV is writing software and donating it to the State of Colorado,” Kosar said in an email to The Post. “All volunteers and staff working on behalf of the unified coordination group and State of Colorado must follow all state and CDPS policies and procedures.”

The group’s website – citizensoftwareengineers.org – was created March 24, and lays out the projects it supports, including social distance monitoring. What the website doesn’t say, however, is what data it’s using, instead declaring it is “integrating data sources” and “leveraging private and public data sources.”

“We are using (Colorado Department of Transportation) data from the state system,” Feld explained to The Post. “We are evaluating several other data sources in demo and trial instances.”

“We may additionally create products or services for third parties, including government entities,” the group’s website said in its privacy rules. It includes a laundry list of personal information it collects and can reuse, including registration information, social media interactions, cell phone data and computer browser habits.

“We may use your Personal Information to engage in other legitimate purposes as required or permitted by applicable law,” the policy read. “We may sell, transfer or otherwise share some or all of our business or assets, including your Personal Information, in connection with a business transaction.”

On April 10, following Denver Post inquiries, the group made material changes to its website.

“The analysis conducted by IRV is produced for use exclusively by the State of (Colorado),” Kosar said in an email. “We have since updated our policy to remove all references to ‘selling’ of data, as we are not a commercial venture and will not use data in a commercialized manner. IRV exists solely to serve the public good during this critical time.”